Computers and Chemical Engineering 000 (2000) 000–000
An approach to potential risk analysis of networked chemical plants

Akio Shindo a, Hiroshi Yamazaki b, Akifumi Toki c, Ichiro Koshijima d,*, Tomio Umeda d

a Department of Management Information Systems, Nagoya University of Commerce and Business Administration, Japan
b Industrial Systems Department, Project Systems Division, JGC Corporation, Japan
c SI Technology Center, Chiyoda Corporation, Japan
d Department of Project Management, Chiba Institute of Technology, 2-17-1 Tsudanuma, Narashino, Chiba, Japan
Abstract

In order to cope with severe competition in the global market, the local area network installed inside a plant site has been connected to the Internet for exchanging business information among globally distributed plant sites. Though such an open architecture has brought benefits to the information systems, it also introduces various risks that result from the application of network technologies. Much attention, therefore, has to be paid to chemical plant failures triggered by outside parties. One common technological interest is a risk analysis method for network events that allow illegal access to the digital control system (DCS). In this paper, the authors present a unified approach for generating fault tree and event tree structures that connect a network access to an anomaly of the process plant. To illustrate the validity of the proposed method, a typical networked chemical plant is taken as an example and analyzed. The present research makes clear which parts are most important for plant security. © 2000 Elsevier Science Ltd. All rights reserved.
Keywords: Networked plants; Risk analysis; Fault tree analysis/Event tree analysis; Cyber terrorism
www.elsevier.com/locate/compchemeng
1. Introduction

In the past two decades, chemical plants have been operated with highly integrated computer networks. Because production demands change rapidly, information about customers' needs has to be collected on a real-time basis to cope with severe competition in the global market. Many companies have to organize globally distributed manufacturing sites, which share the company's production and sales of chemical products. In order to create an agile manufacturing system, the local area network installed inside each site has been connected to the Internet for exchanging business information among the globally distributed plant sites, and deployed as an intranet. Though the information network systems have yielded benefits through such an open architecture, there are various risks that result from the application of network technologies. One typical risk is operational trouble caused by attacking cyber terrorists. Under an open network it is very important to keep the systems at a high level of information security, because operational decisions on a computer-integrated chemical plant rely on business information obtained through the intranet. This means that there is a potential risk of chemical plant operation being disturbed by undesired impacts from outside the manufacturing sites. Though the scope of chemical plant safety has in the past been limited to the plant site, much attention now has to be paid to chemical plant failures triggered by outside parties.

This paper is concerned with plant safety from the viewpoint mentioned above. One of the common technological interests is event sequence analysis with system dynamics. Attackers will try to cause failures by triggering them from the computer network, which the open network architecture makes reachable. Such troubles in plant operation have to be avoided by maintaining a high level of security. The present research will make clear which parts are most important from the viewpoint of plant security.

* Corresponding author. E-mail address: ikoshi@roy.hi-ho.ne.jp (I. Koshijima)
0098-1354/00/$ - see front matter © 2000 Elsevier Science Ltd. All rights reserved.
PII: S0098-1354(00)00327-6
2. Problem statement

In the design phase, fault tree analysis (FTA) gives satisfactory results for the risk analysis of large chemical plants. To carry out the FTA, it has been assumed that process equipment and operators' actions are the analysis targets and that the digital control system (DCS) works correctly, without hardware or software errors. These assumptions have been appropriate so far, because the DCS has been designed as a closed system by DCS vendors and has only been accessed by authorized operators. It is, however, difficult to assure the integrity of an open-networked chemical plant, because there is some possibility that the DCS is accessed or falsified by outsiders through the network, as shown in Fig. 1.

In order to extend the framework of plant risk analysis to the associated network, it is necessary to define the system boundaries, i.e. the physical boundaries and the logical boundaries.

2.1. Physical boundaries defined by related equipment

There is no objection to selecting ‘the Internet router as a target of attack’ as the outer battery limit of the system. Fig. 2 shows a possible intrusion path from the router to critical information inside the plant by breaking through the security gates shown in Fig. 1. In Fig. 2, intrusion proceeds in time from left to right and the degree of risk increases from bottom to top. According to Fig. 2, security gates are broken at nodes C1 (failure of access control), C2 (intrusion into the network), D2 (acquisition of a higher-privileged user ID) and/or E3 (intrusion into the DCS). The plant, however, is normally shut down by the interlocks and other safety devices installed in the plant, which leads to node D6 (normal operation with isolated DCS) or E6 (normal shutdown triggered by interlock). The plant may fall into a real abnormal state at node H6 (fatal accident). There is a potential risk that F3 (intrusion into the DCS) leads to F4 (alteration of control parameters), because E3 is the final security gate. Therefore, the inner battery limit of the system shall be ‘the DCS as a target of intrusion’.

2.2. Logical boundaries defined by a possible scenario

Though there are various scenarios for intrusion into the network, the scenario shown in Fig. 3 is the essence of an intrusion. In this scenario, there are the following six steps:
1. access a PC on the network;
2. log into a computer that can change DCS functions;
3. execute a command that can change DCS functions;
4. output wrong control signals;
5. cause wrong control actions;
6. generate process anomalies.
3. Applied method

In the present study, the authors extend FTA to cover the following technical issues.
1. Dynamics caused by structure change. In particular, a network system changes its physical configuration when network devices are added or removed, and its logical configuration when network devices are started or stopped.
2. Dynamics caused by event propagation. The control logic bridges event propagation among the process plant, the DCS and the network devices.

Fig. 1. Typical configuration of networked chemical plant.
Fig. 2. Structure of security risks on networked chemical plant.
Fig. 3. Concerned scenario for FTA from an illegal access to process anomalies.

In the configuration shown in Fig. 1, the overall system is divided into three subsystems: the network subsystem, the DCS subsystem and the plant subsystem. Because the causes of trouble propagate from a login to process anomalies across these three subsystems, a two-step approach is taken to generate the tree structure in FTA.
1. First step: plant-side FTA. The top event is a process anomaly, and the bottom events are control information in the DCS control logic.
2. Second step: network-side FTA. Its top events are the target control information in the control logic file, and its bottom events are logins to particular PCs on the network.

3.1. Plant-side FTA

Various approaches to fault tree (FT) synthesis (Kuo, Hsu & Chang, 1997; Lapp & Power, 1997) have been proposed in the literature for process plants. However, no report extends the bottom events of the fault tree to either the control logic or its control parameters. To generate the plant-side FT, at least the following tasks have to be performed.
1. Specification of the process anomaly.
2. Extraction of the control devices related to the anomaly, using a cause-and-effect network transformed from the P&ID.
3. Extraction of the related logic codes and their linkage by tracing the input and output connections among the stored logic, as shown in Fig. 4.
4. Synthesis of the fault tree based on the extracted logic path, inputs, outputs or parameters, as shown in Fig. 5.
5. Identification of the DCS files that store the following information:
5.1. inputs or outputs located at the end of the above fault tree;
5.2. all parameters;
5.3. all logic codes.

Fig. 4. Extraction of logic path from field devices to top DCS logic.
Fig. 5. Synthesis of fault tree for logic code.

3.2. Network-side FTA

On the network, various devices, files, commands and applications are directly or indirectly related to the potential risks if they are not properly managed. It is difficult to examine all of these factors individually because of their diversity. To cope with this diversity, a unified model should be developed. On most operating systems every computing resource is managed as a file image and, therefore, authentication of file access is a key factor for risk management.

The authentication mechanism is modeled as shown in Fig. 6. In this model, every command accesses a file image by referring to the file's restrictions and the user's privileges. After passing the security check gate, the file is identified as a device, a command or a data file. This model, therefore, can be applied recursively to generate a fault tree for any device, data file, command, application, or combination of them.

Fig. 6. Model of authentication mechanism.

To generate the network-side FT, the following tasks are performed using the above model.

1. Extraction of login paths
It is necessary to specify how the target hosts can be reached, using host and user information.
Step 1: Extraction of the computers that can communicate with the target computer.
Step 2: Specification of the users who can log in to the computers extracted in Step 1.
Step 3: Extraction of the computers that can be remotely logged into by the users specified in Step 2.
Step 4: Extraction of all possible combinations of computers and users by repeating the above three steps.

2. Extraction of file access paths
Once the login paths are extracted, it is necessary to specify how the target file (or command) can be reached and how the target information can be changed.
Step 1: Specification of the target file.
Step 2: Extraction of all files related to it by using the authentication model mentioned above.
Step 3: Generation of all possible linkages of files by repeating the above two steps.
Step 4: Synthesis of the fault tree structure, in which all files related to the target file are interpreted as a fault tree.
Step 5: Synthesis of the event tree structure, in which each security check is described as an event node.
Step 6: Synthesis of the combined tree of the above event trees and fault trees, as shown in Fig. 7. In Fig. 7, security checks A, B and C are the event gates that trigger the anomaly, and the fault trees FT-A, FT-B and FT-C estimate the probability of each event, respectively.

After generating the plant-side FT and the network-side FT, the two FTs are integrated as shown in Fig. 8.

Fig. 7. Combination of fault tree and event tree for security check structure.
Fig. 8. Integrated FTs for networked chemical plant.
Fig. 9. Simulation environment.
Fig. 10. Overview of LNG receiving terminal simulator.
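The following Python program is an added worked example, not the authors' prototype tool, of tasks 3 to 5 of the plant-side FTA in Section 3.1: it traces backwards from a top event (a wrong value of a DCS controller output) through a constructed store of DCS logic blocks, collects the logic codes, parameters and field inputs as bottom events, and then maps those bottom events onto the DCS files that hold them, so that a file storing several bottom events is exposed as a single break point. The tag names, logic block names and file names are hypothetical, and the cascade they form is constructed for the example; the loop guard and the unrelated interlock block illustrate two edge cases the tracing has to handle.

```python
"""Plant-side fault tree synthesis by backward tracing of DCS control logic.

Constructed example (not the paper's tool or data): a hypothetical cascade
of DCS logic blocks for an outlet pressure control loop. Tag names, logic
block names and DCS file names are assumptions made for the illustration.
"""
from collections import Counter, defaultdict

# Hypothetical DCS logic store: block -> (inputs, parameters, output signal).
LOGIC = {
    "PIC-101":   {"inputs": ["PT-101.PV", "LOAD_CTRL.OUT"],
                  "params": ["PIC-101.KP", "PIC-101.TI"],
                  "output": "PIC-101.OUT"},
    "LOAD_CTRL": {"inputs": ["F_CORR", "DEMAND.SP"],
                  "params": ["LOAD_CTRL.RATE_LIM"],
                  "output": "LOAD_CTRL.OUT"},
    "FLOW_CALC": {"inputs": ["FT-102.PV", "TT-103.PV"],
                  "params": ["FLOW_CALC.DENSITY"],
                  "output": "F_CORR"},
    # Independent interlock: shares an input but must not appear in the tree.
    "TRIP_LOGIC": {"inputs": ["PT-101.PV"],
                   "params": ["TRIP_LOGIC.PAH"],
                   "output": "ESD.TRIP"},
}

# Hypothetical DCS files holding the above items (task 5 of Section 3.1).
FILES = {
    "ctl_params.dat":  {"PIC-101.KP", "PIC-101.TI", "LOAD_CTRL.RATE_LIM"},
    "calc_params.dat": {"FLOW_CALC.DENSITY", "TRIP_LOGIC.PAH"},
    "logic.bin":       {"PIC-101", "LOAD_CTRL", "FLOW_CALC", "TRIP_LOGIC"},
    "io_table.dat":    {"PT-101.PV", "FT-102.PV", "TT-103.PV", "DEMAND.SP"},
}

# Reverse index: which block produces a given signal (task 3, Fig. 4).
PRODUCER = {blk["output"]: name for name, blk in LOGIC.items()}


def synthesize_ft(signal, _seen=frozenset()):
    """Return an OR-tree whose top event is a wrong value of `signal`.

    The block producing the signal contributes three kinds of bottom events:
    its own logic code, its parameters and its inputs. Inputs produced by
    another block are expanded recursively; field inputs end the recursion.
    `_seen` holds the signals on the current path so a loop in the logic
    store terminates instead of recursing forever.
    """
    if signal not in PRODUCER:
        return {"event": signal, "kind": "input", "children": []}
    if signal in _seen:
        return {"event": signal, "kind": "loop", "children": []}
    name = PRODUCER[signal]
    blk = LOGIC[name]
    children = [{"event": name, "kind": "logic", "children": []}]
    children += [{"event": p, "kind": "parameter", "children": []}
                 for p in blk["params"]]
    children += [synthesize_ft(i, _seen | {signal}) for i in blk["inputs"]]
    return {"event": signal, "kind": "intermediate", "children": children}


def bottom_events(tree):
    """Flatten the tree into {bottom event: kind}; intermediate nodes are dropped."""
    out = {}
    stack = [tree]
    while stack:
        node = stack.pop()
        if node["children"]:
            stack.extend(node["children"])
        else:
            out[node["event"]] = node["kind"]
    return out


def files_by_impact(tree):
    """Map each DCS file to the bottom events of `tree` that it stores.

    A file holding several bottom events is one point whose falsification
    fails all of them at once; these files are the top events handed to the
    network-side FT.
    """
    leaves = set(bottom_events(tree))
    impact = defaultdict(set)
    for fname, items in FILES.items():
        for ev in items & leaves:
            impact[fname].add(ev)
    return dict(impact)


def summarize(signal):
    """Counts of bottom events by kind for the tree rooted at `signal`."""
    return Counter(bottom_events(synthesize_ft(signal)).values())


if __name__ == "__main__":
    top = "PIC-101.OUT"  # anomaly on the outlet pressure controller output
    print("bottom events:", dict(summarize(top)))
    for fname, evs in sorted(files_by_impact(synthesize_ft(top)).items()):
        print(f"{fname}: {len(evs)} item(s) fail on a single break")
```

Run stand-alone, the program reports three logic codes, four parameters and four field inputs under the constructed top event, and shows that a single break of the hypothetical ctl_params.dat fails three of them at once while the interlock's trip parameter stays outside the tree.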
4. Illustrative example

In this section, the application of the proposed method to a critical lifeline plant is presented. An LNG receiving terminal and its vaporizing plant is selected for evaluation, because LNG has become a major clean energy resource for electric power plants in Japan. Its supply also plays an important role in the independent power business, which requires demand-based operation (a kind of supply chain management).

In order to evaluate the proposed method, we developed a plant dynamic simulator, a DCS simulator and a network simulator, as shown in Fig. 9. Each simulator is modeled in detail, taking the actual configuration and functions of a typical LNG receiving terminal into consideration. The features of each simulator, implemented on Gensym G2, are as follows (Fig. 10).
1. Plant simulator: it simulates the process dynamics and the malfunctions of process and control devices. It includes 285 process equipment items with 204 control devices.
2. DCS simulator: it simulates the DCS control functions, including automatic start-up, shutdown and demand-based load control for the open rack vaporizer (ORV). It executes 170 DCS logics with 961 inputs and 1197 outputs.
3. Network simulator: it simulates three major functions:
3.1. UNIX OS functions, including file access, network access and command execution;
3.2. computers and network devices on the plant network;
3.3. network connections.
The plant simulator and the DCS simulator are located on machine-A, and the network simulator on machine-B. Machines A and B are connected by Ethernet. A man-machine interface (MMI) is also installed for emergency training programs.

The authentication mechanisms of selected commands, such as UNIX ‘su’, are analyzed and modeled as shown in Fig. 11. In this example, ‘user-name’ and ‘password’ are the input information; ‘su’ and ‘passwd’ are the execution commands that change the current user status.

The prototype tool is installed on machine-B. In order to assess a network risk, a top event has to be selected; the tool then automatically synthesizes the plant-side FT. Fig. 12 shows an example of a plant-side FT whose top event is an anomaly on the outlet pressure control. Eight parameters, ten process variables, eleven calculated variables and eight control logics stored in the DCS are listed as the bottom events of the FT. Because in practice these data may be stored in a few separate data files or in working memory, a single break can affect several items at once.

In the prototype tool, the user can interactively select a pop-up menu on each bottom event to create the network-side FT. Fig. 13 shows a part of the generated network-side FT for accessing the main header pressure; it shows all possible paths and command sequences that can change the main header pressure. A rhombus in the figure denotes an event gate, and the number of rhombi on a path qualitatively indicates the difficulty of illegal intrusion along it.
5. Concluding remarks

An FTA-based risk analysis method for networked chemical plants has been developed, and its core algorithms were evaluated in a realistic environment. Because the proposed method consistently synthesizes the fault trees on both the plant side and the network side, the quality of risk assessment can be significantly improved. Further study is, however, necessary to practically define the failure probability data for computer operation and network access, in order to establish a secure DCS environment for the emerging Internet era.
Fig. 11. Example of security check mechanism.
Fig. 12. Generated plant-side FT for anomaly on outlet pressure control.
Fig. 13. Generation of network-side FT for a specified control parameter.
Acknowledgements

The authors wish to express their sincere appreciation to the Ministry of International Trade and Industry and the Information-technology Promotion Agency, Japan, for supporting the present study and for permitting the publication of this paper. We also express our sincere appreciation to MITI's Committee on Large Scale Plant Network Security for their valuable feedback.
References

Kuo, D. H., Hsu, D. S., & Chang, C. T. (1997). Computers & Chemical Engineering, 21, S923.
Lapp, S. A., & Power, G. J. (1997). IEEE Transactions on Reliability, R-26, 2.